When a new load-balanced application is created on the Controller, create these rules if DFW is enabled. These rules need to be created for every new load-balanced application.

| Rule | Source | Destination | Service | Apply to | Action |
|---|---|---|---|---|---|
| External client to load-balanced application (VS) | External clients | VIP of the load-balanced application | VS ports: use the auto-created <prefix>-<VS-Name> Service | Clients and Service Engine VMs servicing the load-balanced application: use the auto-created <prefix>-<VS-Name>VsServiceEngines NSGroup | Allow |
| Service Engines to backend members (Pool) | Service Engine data IPs: use the auto-created <prefix>-<VS-Name> NSGroup | Backend server IPs: creating an NSGroup for the backend servers is recommended | Backend pool ports: use the auto-created <prefix>-<Pool-Name> Service | Backend servers and Service Engine VMs servicing the load-balanced application: use the auto-created <prefix>-<VS-Name>VsServiceEngines NSGroup | Allow |
| Inter-Service Engine communication | Service Engine data IPs: use the auto-created <prefix>-<VS-Name> NSGroup | Service Engine data IPs: use the auto-created <prefix>-<VS-Name> NSGroup | Any | Service Engine VMs servicing the load-balanced application: use the auto-created <prefix>-<VS-Name>VsServiceEngines NSGroup | Allow |

When a new load-balanced application is created on the Controller, create these rules if Gateway Firewall is enabled. These rules need to be created for every new load-balanced application.

| Rule | Source | Destination | Destination Port | Apply to | Action |
|---|---|---|---|---|---|
| External client to load-balanced application (VS) | External clients | VIP of the load-balanced application | VS ports: use the auto-created <prefix>-<VS-Name> Service | Tier-0 connected to the Service Engine data Tier-1 | Allow |
| East/West traffic across Tier-1 routers | Application clients | VIP of the load-balanced application | VS ports: use the auto-created <prefix>-<VS-Name> Service | Tier-1 routers connected to the Service Engine data and the client(s) | Allow |
| Backend pool member traffic across Tier-1 routers | Service Engine data IPs: use the auto-created <prefix>-<VS-Name> NSGroup | Backend server IPs: creating an NSGroup for the backend servers is recommended | Backend pool ports: use the auto-created <prefix>-<Pool-Name> Service | Tier-1 routers connected to the Service Engine data and the backend server(s) | Allow |
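Because both rule sets have to be recreated for every new load-balanced application, a per-application drift check is the practical safeguard: derive the expected rules from the naming convention in the tables (<prefix>-<VS-Name>, <prefix>-<Pool-Name>, <prefix>-<VS-Name>VsServiceEngines) and compare them against what is actually configured. The following is an added example covering both the DFW and the Gateway Firewall tables; it is not code from the page or from any NSX or Controller tool. The Rule model, the field names, the "vip:<VS-Name>" placeholder for the VIP, the backend NSGroup and Tier-0/Tier-1 names, and the sample inventories are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Minimal firewall rule model (hypothetical; not the NSX API schema).

    applied_to is a tuple of scope names (NSGroups or routers) in a fixed order,
    so equality is an exact field-by-field match.
    """
    source: str
    destination: str
    service: str
    applied_to: tuple
    action: str = "Allow"


def auto_created_names(prefix, vs_name, pool_name):
    """Object names the tables say the Controller creates automatically."""
    return {
        "vs_nsgroup": f"{prefix}-{vs_name}",                      # Service Engine data IPs
        "vs_service": f"{prefix}-{vs_name}",                      # VS ports (same name, different object type)
        "pool_service": f"{prefix}-{pool_name}",                  # backend pool ports
        "se_vms_nsgroup": f"{prefix}-{vs_name}VsServiceEngines",  # SE VMs servicing this VS
    }


def expected_dfw_rules(prefix, vs_name, pool_name, backend_nsgroup):
    """The three DFW rules from the first table for one application."""
    n = auto_created_names(prefix, vs_name, pool_name)
    vip = f"vip:{vs_name}"  # placeholder for the VS VIP (assumption)
    return {
        "client-to-vs": Rule("external-clients", vip, n["vs_service"],
                             ("external-clients", n["se_vms_nsgroup"])),
        "se-to-pool": Rule(n["vs_nsgroup"], backend_nsgroup, n["pool_service"],
                           (backend_nsgroup, n["se_vms_nsgroup"])),
        "inter-se": Rule(n["vs_nsgroup"], n["vs_nsgroup"], "Any",
                         (n["se_vms_nsgroup"],)),
    }


def expected_gwfw_rules(prefix, vs_name, pool_name, backend_nsgroup,
                        tier0, client_tier1s, backend_tier1s):
    """The three Gateway Firewall rules from the second table for one application."""
    n = auto_created_names(prefix, vs_name, pool_name)
    vip = f"vip:{vs_name}"
    return {
        "client-to-vs": Rule("external-clients", vip, n["vs_service"], (tier0,)),
        "east-west-to-vs": Rule("application-clients", vip, n["vs_service"],
                                tuple(client_tier1s)),
        "se-to-pool": Rule(n["vs_nsgroup"], backend_nsgroup, n["pool_service"],
                           tuple(backend_tier1s)),
    }


def missing_rules(expected, existing):
    """Names of expected rules with no exact match in the configured set.

    A rule with the right endpoints but the wrong service, scope or action
    counts as missing, because it does not provide the intended permission.
    """
    present = set(existing)
    return sorted(name for name, rule in expected.items() if rule not in present)


# Constructed sample inventories for an application "web" under prefix "avi".
SAMPLE_DFW_RULES = [
    Rule("external-clients", "vip:web", "avi-web",
         ("external-clients", "avi-webVsServiceEngines")),
    # Defect: references the VS service instead of the pool service.
    Rule("avi-web", "backend-web", "avi-web",
         ("backend-web", "avi-webVsServiceEngines")),
    Rule("avi-web", "avi-web", "Any", ("avi-webVsServiceEngines",)),
]

SAMPLE_GWFW_RULES = [
    Rule("external-clients", "vip:web", "avi-web", ("t0-edge",)),
    Rule("application-clients", "vip:web", "avi-web", ("t1-se-data", "t1-app-clients")),
    # Defect: correct endpoints and ports, but the action is Drop.
    Rule("avi-web", "backend-web", "avi-web-pool", ("t1-se-data", "t1-backend"), action="Drop"),
]


def audit_sample():
    """Run both checks over the constructed inventories."""
    dfw = missing_rules(expected_dfw_rules("avi", "web", "web-pool", "backend-web"),
                        SAMPLE_DFW_RULES)
    gwfw = missing_rules(expected_gwfw_rules("avi", "web", "web-pool", "backend-web",
                                             "t0-edge",
                                             ["t1-se-data", "t1-app-clients"],
                                             ["t1-se-data", "t1-backend"]),
                         SAMPLE_GWFW_RULES)
    return {"dfw_missing": dfw, "gwfw_missing": gwfw}


if __name__ == "__main__":
    print(audit_sample())
```

Both sample inventories are deliberately one rule short: the DFW set points the Service Engine to backend rule at the VS Service rather than the Pool Service, and the Gateway Firewall set has the backend rule with a Drop action, so the audit reports "se-to-pool" as missing in each case. Matching on the whole rule rather than on endpoints alone is what catches these two failure modes.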